
Injection rule data

Data that define the available infection rules are described below:

Data Description

Enabled

If selected, the rule will be sent to the Network Injector.

If not selected, the rule is saved but not sent.

Disable on sync

If selected, the rule is disabled after the first synchronization of the agent defined in the rule.

If not selected, the Network Injector continues to apply the rule, even after the first synchronization.

Probability

Probability (in percent) of applying the rule after the first infected resource.

0%: after infecting the first resource, Network Injector will no longer apply this rule.

100%: after infecting the first resource, Network Injector will always apply this rule.

Tip: if a value greater than 50% is applied, we recommend you return the value to 0% after successful installation is verified (after synchronization), or use the option Disable on sync.

Target

Name of the target to be infected.

Ident

Target's HTTP connection identification method.

NOTE: Network Injector cannot monitor FTP or HTTPS connections.

Each method is described below:

Data Description
STATIC-IP

Static IP assigned to the target.

STATIC-RANGE

Range of IP addresses assigned to the target.

STATIC-MAC

Target's static MAC address, both Ethernet and WiFi.

DHCP

Target's network interface MAC address.

RADIUS-LOGIN

RADIUS user name. User-Name (RADIUS 802.1x).

RADIUS-CALLID

RADIUS caller ID. Calling-Station-Id (RADIUS 802.1x).

RADIUS-SESSID

RADIUS session ID. Acct-Session-Id (RADIUS 802.1x).

RADIUS-TECHKEY

RADIUS key. NAS-IP-Address: Acct-Session-Id (RADIUS 802.1x).

STRING-CLIENT

Text string to be identified in the data traffic from the target.

STRING-SERVER

Text string to be identified in the data traffic to the target.

TACTICAL

The target is not automatically identified but can be identified by the operator on Tactical Network Injector. Only after the device is identified by the operator is the Ident field customized with the data received from the device.

User pattern

Target's traffic identification method. The format depends on the type of Ident selected.

Method Format

DHCP, STATIC-IP, STATIC-MAC

Corresponding address (e.g.: "195.162.21.2").

STATIC-RANGE

Address range separated by '-' (e.g.: "195.162.21.2-195.162.21.5").

STRING-CLIENT, STRING-SERVER

Text string (e.g.: "John@gmail.com").

RADIUS-CALLID

ID or part of the ID.

RADIUS-LOGIN

Name or part of the user name.

RADIUS-SESSID

ID or part of the ID.

RADIUS-TECHKEY

Key or part of the key (e.g.: "*.10.*").

TACTICAL

A value cannot be set. The correct value will be set by the field operator.

Resource pattern

Identification method of the resource to be injected, applied to the Web resource URL. The format depends on the type of Action selected.

NOTE: leave empty if the selected action is INJECT-UPGRADE.

 

Action type Resource Pattern Content
INJECT-EXE

URL of the executable file to be infected. Use wildcards to increase the number of matching URLs.

Examples of possible formats:

*<nameExe>*.exe

www.mozilla.org/firefox/download/firefoxsetup.exe

NOTE: when a full path is specified, be careful of any mirrors used by websites to download files (e.g.: "firefox.exe?mirror=it").

Tip: enter *.exe* to infect all executable files, regardless of the URL.

IMPORTANT: if, for example, *exe* is entered without the '.' file extension separator, all pages that happen to contain the letters "exe" will be injected.

INJECT-HTML

URL of the website to be infected.

Examples of possible formats:

www.oracle.com/

www.oracle.com/index.html

NOTE: the site address must include the final '/' character if an HTML or dynamic page is not specified (e.g.: "www.oracle.com/").

NOTE: a redirect page cannot be infected. Check the browser for the correct site path before using it in a rule.

INJECT-UPGRADE

Not used.

REPLACE

URL of a resource to be replaced.

Action

Infection method that will be applied to the resource indicated in Resource pattern:

Method Description
INJECT-EXE

Infects the downloaded EXE file in real time. The agent is installed when the target runs the EXE file.

INJECT-HTML

Adds a Java applet to the Web page. When the target opens the page, Java code execution must be accepted to install the agent.

Tip: to avoid warning messages displayed by the target's system, we recommend you purchase a valid certificate to sign the Java applet.

Please contact HackingTeam technicians for further details.

INJECT-UPGRADE

Notifies the Java Runtime Environment on the device that an update is available. The agent is installed when the target installs the update. Does not refer to Resource pattern.

REPLACE

Replaces the resource set in the Resource pattern with the supplied file.

Tip: this type of action is very effective when used in combination with Exploit generated documents.

 

Agent

For all actions except REPLACE. Agent to be injected into the selected Web resource.

File

For REPLACE Action only. File that replaces the resource indicated in Resource pattern.
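A defender-side check that follows from the fields above, added here as an example and not part of the RCS guide: because the rules match executable URLs and cannot be applied to FTP or HTTPS connections, the exposed downloads in a proxy log are the .exe fetches made over plain HTTP, and a modified file will not hash to the value its publisher lists. The log format, host names and function names are assumptions made for the example.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample proxy log, one "<client> <url>" pair per line (assumed format).
SAMPLE_LOG = """\
10.0.0.5 http://downloads.example.org/tools/setup.exe
10.0.0.5 https://downloads.example.org/tools/setup.exe
10.0.0.7 http://mirror.example.net/pkg/viewer.EXE?mirror=it
10.0.0.9 http://www.example.com/articles/executive-summary.html
10.0.0.9 ftp://files.example.org/pub/tool.exe
"""


def cleartext_exe_downloads(log_text):
    """Return (client, url) pairs for .exe fetches made over plain HTTP."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        client, url = parts[0], parts[1].strip()
        u = urlsplit(url)
        # Test the path only, so a mirror query string such as "?mirror=it"
        # does not hide the extension, and "exe" elsewhere in the URL
        # (e.g. "executive") does not cause a false hit.
        if u.scheme.lower() == "http" and u.path.lower().endswith(".exe"):
            hits.append((client, url))
    return hits


def matches_published_hash(body, published_sha256):
    """True when the downloaded bytes hash to the publisher's SHA-256.

    The published value must come from a channel the download path cannot
    alter (for example an HTTPS page or a signed release note).
    """
    return hashlib.sha256(body).hexdigest() == published_sha256.strip().lower()


if __name__ == "__main__":
    for client, url in cleartext_exe_downloads(SAMPLE_LOG):
        print(f"cleartext executable download: {client} {url}")
```
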

 

RCS8.2 | User's and Installation Guide | © COPYRIGHT 2012